
NomadScanner is a Windows-based port scanner designed with OPSEC in mind, intended for authorized red team engagements where stealth is crucial. It randomizes the characteristics of every connection so that its probes blend into legitimate traffic and are less likely to be flagged by network security monitoring.
Key Features:
- Random source ports (49152–65535) and pre/post connection jitter
- Variable IP TTL, TOS, and “Don’t Fragment” flags
- Dynamic TCP window sizing and Nagle disabling
- Polymorphic HTTP probes (GET/HEAD/OPTIONS shuffling)
- Random User-Agent strings and variable padding
- Domain fronting support (custom Host header)
- Custom payload templates and banner grabbing
- Port range scanning with exclusions (e.g., 1-1024, 135, 445)
- Hostname spoofing and MAC-spoof stub for future extension
- Multithreaded with configurable thread count and delays
The tool is open-source and can be compiled using Visual Studio or MinGW.
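The feature list above is, from a defender's seat, a list of things a scan detector must not depend on. Random source ports, pre/post connection jitter and varying TTL/TOS change how each individual connection looks, but they do not change the one property a scan cannot hide: one source reaching many distinct destination ports on one host within some window. The following is an added example, not code from NomadScanner or from the original post, of a sliding-window detector built on that property. The log format and every sample line are constructed for the demo; the window and threshold values are assumptions to be tuned for a real environment.

```python
"""
Added example, not part of NomadScanner or the original post: a detector for
port-scan behaviour in connection logs that ignores the evasion knobs listed
above.  It keys on (source IP, destination IP) and counts distinct destination
ports inside a sliding time window; source port and TTL never enter the
decision.  The log format and all sample lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> ttl=<n> <event>"
# 10.0.0.7 probes ten ports on 192.168.1.1 with ~65 s of jitter, random source
# ports and a TTL that flips between 64/128/255.  10.0.0.20 and 10.0.0.31 are
# ordinary clients reusing a handful of ports.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7:51234 -> 192.168.1.1:21 ttl=64 syn
2024-05-01T10:00:04 10.0.0.20:52001 -> 192.168.1.1:443 ttl=128 syn
2024-05-01T10:01:07 10.0.0.7:60111 -> 192.168.1.1:22 ttl=128 syn
2024-05-01T10:02:13 10.0.0.7:49777 -> 192.168.1.1:25 ttl=255 syn
2024-05-01T10:03:02 10.0.0.31:53000 -> 192.168.1.1:22 ttl=64 syn
2024-05-01T10:03:19 10.0.0.7:55301 -> 192.168.1.1:80 ttl=64 syn
2024-05-01T10:04:26 10.0.0.7:63420 -> 192.168.1.1:110 ttl=128 syn
2024-05-01T10:05:00 10.0.0.20:52002 -> 192.168.1.1:443 ttl=128 syn
2024-05-01T10:05:31 10.0.0.7:50018 -> 192.168.1.1:135 ttl=64 syn
2024-05-01T10:06:38 10.0.0.7:58872 -> 192.168.1.1:139 ttl=255 syn
2024-05-01T10:07:10 10.0.0.31:53001 -> 192.168.1.1:80 ttl=64 syn
2024-05-01T10:07:44 10.0.0.7:61290 -> 192.168.1.1:143 ttl=128 syn
2024-05-01T10:08:52 10.0.0.7:49201 -> 192.168.1.1:443 ttl=64 syn
2024-05-01T10:09:15 10.0.0.31:53002 -> 192.168.1.1:443 ttl=64 syn
2024-05-01T10:09:45 10.0.0.7:57755 -> 192.168.1.1:3389 ttl=128 syn
2024-05-01T10:10:30 10.0.0.20:52003 -> 192.168.1.1:443 ttl=128 syn
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst, ttl, event = line.split()
    src_ip, _src_port = src.rsplit(":", 1)       # the randomized source port is ignored on purpose
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "ttl": int(ttl.split("=", 1)[1]),
        "event": event,
    }


def detect_scans(lines, window=timedelta(minutes=10), threshold=8):
    """Flag (src, dst) pairs that reach >= threshold distinct ports inside a sliding window.

    Lines must be in time order.  The window has to be wide enough to absorb the
    per-connection jitter a slow scanner adds, otherwise the scan is never seen
    whole.  Returns one alert per pair, updated as the scan grows.
    """
    history = defaultdict(deque)   # (src_ip, dst_ip) -> deque of (ts, dst_port, ttl)
    alerts = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["src_ip"], ev["dst_ip"])
        q = history[key]
        q.append((ev["ts"], ev["dst_port"], ev["ttl"]))
        while q and ev["ts"] - q[0][0] > window:    # drop events older than the window
            q.popleft()
        distinct_ports = {port for _, port, _ in q}
        if len(distinct_ports) >= threshold:
            alert = alerts.setdefault(key, {
                "src_ip": ev["src_ip"],
                "dst_ip": ev["dst_ip"],
                "first_seen": q[0][0],
            })
            alert["last_seen"] = ev["ts"]
            alert["distinct_ports"] = len(distinct_ports)
            # A real host uses one fixed TTL; several values from one source is itself a tell.
            alert["ttl_values"] = sorted({t for _, _, t in q})
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"scan: {a['src_ip']} -> {a['dst_ip']} ports={a['distinct_ports']} "
              f"ttls={a['ttl_values']} {a['first_seen']} .. {a['last_seen']}")
```

Run as-is, the detector reports one pair, 10.0.0.7 -> 192.168.1.1, with ten distinct ports and three TTL values, while the two ordinary clients stay silent. Run with a one-minute window instead, and the same scan produces nothing, because each jittered probe has aged out before the next arrives; that is the whole effect of the jitter feature, and the countermeasure is a window (or a persistent per-pair counter) sized for the slowest scan you care about rather than for bursty tools.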
🔗 GitHub: https://github.com/django-88/NomadScanner
You Should Know: Practical Usage & Commands
1. Compiling NomadScanner
To compile from source:
git clone https://github.com/django-88/NomadScanner.git
cd NomadScanner
For MinGW:
gcc -o NomadScanner main.c -lws2_32 -lpthread
2. Basic Scanning
NomadScanner.exe -t 192.168.1.1 -p 80,443,22,3389
3. Advanced Stealth Scanning
NomadScanner.exe -t 10.0.0.5 -p 1-1024 --randomize-ports --jitter 500 --ttl 64
4. HTTP Polymorphic Probes
NomadScanner.exe -t example.com -p 80,443 --http-probe --random-user-agent
5. Network Evasion Techniques
- TTL Manipulation:
NomadScanner.exe -t target.com --ttl 128
- IP Fragmentation Avoidance:
NomadScanner.exe -t 192.168.1.100 --dont-fragment
6. Thread Control & Delays
NomadScanner.exe -t 10.10.10.10 -p 1-65535 --threads 50 --delay 100
7. Banner Grabbing & Custom Payloads
NomadScanner.exe -t ftp.server.com -p 21 --banner-grab --payload "USER anonymous\r\nPASS anonymous\r\n"
What Undercode Says
NomadScanner is a powerful tool for covert reconnaissance, especially in red team operations where avoiding detection is critical. By leveraging randomized network behavior, it effectively bypasses basic IDS/IPS systems.
Additional Useful Commands for Red Teaming:
- Nmap Alternative (Stealth Scan):
nmap -sS -Pn -T2 --randomize-hosts --data-length 24 target.com
- Windows Firewall Bypass (CMD):
netsh advfirewall firewall add rule name="LegitApp" dir=in action=allow program="C:\path\to\NomadScanner.exe"
- Linux Traffic Masking:
sudo tc qdisc add dev eth0 root netem delay 100ms 20ms
- MAC Spoofing (Linux):
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether 00:11:22:33:44:55
sudo ifconfig eth0 up
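The netsh command above leaves a durable artifact on the host: an enabled inbound allow rule with an innocuous name ("LegitApp") bound to a program path outside any normal install location. That is exactly what a firewall-rule audit should surface. The following is an added example, not code from NomadScanner or the original post, that parses a rule listing and flags such rules. The sample text is constructed to approximate the output of `netsh advfirewall firewall show rule name=all verbose`; the set of approved program roots is an assumption to adjust per estate.

```python
"""
Added example, not from NomadScanner or the original post: an audit of Windows
Firewall rules that catches the pattern the netsh command above leaves behind,
namely an enabled inbound allow rule bound to a program outside the normal
install locations.  SAMPLE_NETSH is constructed to approximate the output of
`netsh advfirewall firewall show rule name=all verbose`; on a real host you
would feed that command's actual output to parse_netsh_rules().
"""
import re

# Program roots treated as trusted for this demo (assumption; tune per estate).
APPROVED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_NETSH = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow

Rule Name:                            LegitApp
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Program:                              C:\path\to\NomadScanner.exe
Action:                               Allow
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_netsh_rules(text):
    """Turn the 'Key: value' blocks of the listing into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue                      # blank lines and the dashed separators
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def audit_rules(rules, approved_roots=APPROVED_ROOTS):
    """Return enabled inbound allow rules whose program lives outside approved roots."""
    findings = []
    for rule in rules:
        if (rule.get("Enabled"), rule.get("Direction"), rule.get("Action")) != ("Yes", "In", "Allow"):
            continue
        program = rule.get("Program", "Any")
        if program in ("Any", ""):
            continue                      # not program-scoped; a port/service review covers these
        if not program.lower().startswith(approved_roots):
            findings.append({
                "rule": rule["Rule Name"],
                "program": program,
                "profiles": rule.get("Profiles", ""),
                "ports": rule.get("LocalPort", "Any"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_netsh_rules(SAMPLE_NETSH)):
        print(f"suspicious inbound allow: {f['rule']!r} -> {f['program']} (profiles={f['profiles']})")
```

On the sample, only "LegitApp" is reported: the Remote Desktop rule is inbound and allowed too, but its program sits under C:\Windows. A rule that allows any program, any protocol and any port on all three profiles, as the flagged one does, deserves attention even before the path is considered; pairing this audit with Windows' own firewall-change audit events gives the time and account that created it.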
For maximum stealth, combine NomadScanner with proxychains or Tor routing:
proxychains NomadScanner.exe -t internal.target -p 22,80,443
Expected Output:
A detailed, stealthy port scan report with randomized traffic patterns, evading standard network monitoring while identifying open ports and services.
References:
Reported By: Tamás Péter – Hackers Feeds